Executive Summary

CRIL identified an active Maranhão Stealer campaign that is being distributed through social engineering websites hosted on cloud platforms. Current intelligence indicates that the malware has been active since May 2025 and is actively being developed. Available intelligence shows the malware has been active since May 2025 and is undergoing ongoing development.

The threat actors primarily target gaming users by distributing gaming-related links, cheats, and pirated software downloads. (e.g., hxxps://derelictsgame.in/DerelictSetup.zip). The ZIP archives include an Inno Setup installer, which launches a Node.js-compiled binary responsible for exfiltrating credentials.

Key takeaways

• Maranhão Stealer is actively spreading through social engineering websites that distribute pirated software, cracked game launchers, and cheats, leveraging cloud-hosted platforms for delivery.
• The malware is written in Node.js and packaged as an Inno Setup installer, reflecting a trend in modern stealer campaigns.
• It establishes persistence through Run registry keys and scheduled tasks, hides its payloads as system and hidden attributes, and performs detailed host reconnaissance, including hardware, network, and geolocation profiling.
• Sensitive information such as credentials, cookies, browsing history, and wallet data is harvested through reflective DLL injection into browsers, bypassing protections like AppBound encryption.
• Exfiltration is carried out to attacker-controlled infrastructure, including multiple maranhaogang[.]fun API endpoints, enabling infection tracking, victim monitoring, and stolen data uploads.

Overview

CRIL identified an active Maranhão Stealer campaign that is being distributed through social engineering websites hosted on cloud platforms. Based on the intel gathered so far, we believe the malware has been active since May 2025 and is still in active stages of development.

The threat actors lure victims by creating gaming-related links, cheats, and pirated software downloads (e.g., hxxps://derelictsgame.in/DerelictSetup.zip). The stealer malware is delivered as an Inno Setup installer, which, upon execution, drops a Node.js-compiled binary package.

The depiction of the kill chain is shown below. (see Figure 1)

Once executed, the malware disguises itself in a directory named “Microsoft Updater” located under %localappdata%\Programs. It achieves persistence by creating Run registry keys and a scheduled task before launching its main component, updater.exe. From this point, the malware conducts extensive system reconnaissance, screen capturing, and credential theft, with a particular focus on web browsers and cryptocurrency wallets. To evade security controls such as Chrome’s AppBound encryption, it employs reflective DLL injection into browser processes, enabling reliable access to sensitive data, including cookies, stored credentials, and session tokens.

Stolen artifacts—including credentials, cookies, browser history, and system details—are staged locally before being exfiltrated to attacker-controlled infrastructure, including the domain maranhaogang[.]fun.

The initial variant of Maranhão Stealer, dated back to May 2025, was a simpler build that relied on PsExec to spawn child processes such as taskkill and a Go-based utility named decryptor.exe, which was dropped directly into the C:\Windows directory for plaintext password recovery.  Artifacts associated with the group were present in the file details as well. (See Figure 2)

In contrast, the newer versions removed traces of these clear artefacts and have shifted to dropping their components under “C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater”. The password-decrypting functionality is now embedded in infoprocess.exe, written in Go but obfuscated for stealth. Instead of using PsExec, the malware now creates child processes directly through Win32 API calls, reflecting a clear evolution toward stealthier and more sophisticated execution techniques.

While minor variations have appeared across different Maranhão Stealer samples, the core functionality and operational objectives remain consistent. The campaign demonstrates how threat actors blend social engineering, commodity tools, and modern development stacks to distribute sophisticated information-stealing malware at scale.

Technical Analysis

Infection vector:

The infection vector relies on social engineering through pirated software and gaming-related content. Threat actors distribute trojanized installers, cracked launchers, and cheats, luring users into execution under the guise of popular or modified games. Some examples are listed below:

• Fnafdoomlauncher.exe
• essentiallauncher.exe
• Silent Client.exe
• Fnaf.exe
• clonets.exe
• VersionX64_Setup.exe
• slinky.zip
• Install ROOTED.exe
• RootedTheGameSetup.zip
• Slinkyhook.exe

We performed a technical analysis of a recently identified binary

SHA-1: 97813e1c66dc8922b8242d24a7a56409b57ce19c61042ffda93031c43a358b9b

Filename: Fnafdoomlauncher.exe

Installer: Inno Setup Module (v6.4.3)User Execution

The installer, packaged with Inno Setup, runs in “/VERYSILENT” mode to suppress installation dialogs and reduce user awareness. Once complete, it drops multiple components—updater.exe, crypto.key, and unins000—into the directory C:\Users\<username>\AppData\Local\Programs\Microsoft Updater. (See Figure 3)

The main binary (updater.exe) is then launched with the command-line argument e90de8b2-eb79-4614-94f8-308f0f81573b. This unique identifier, also stored in crypto.key, is used both for victim identification and within the malware’s network communications.

Persistence

Upon execution, updater.exe establishes persistence by creating a Run registry key via reg.exe, adding an entry that ensures the binary located in the Microsoft Updater directory is executed automatically at every user logon. (See Figure 4)

Command: reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run

/v updater /t REG_SZ   /d “\”C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater\Updater.exe\”” /f

Masquerading, Hidden Files/Directories

Following the persistence setup, the malware attempts to evade detection by disguising its components. Files within the Microsoft Updater directory are marked with both the System and Hidden attributes using attrib.exe, as shown below. (See Figure 5)

• attrib +h +s infoprocess.exe
• attrib +h +s crypto.key
• attrib +h +s “C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater”
• attrib +h +s “C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater\updater.exe”

System Information Discovery, System Location Discovery

The updater.exe executes a series of WMI queries to enumerate host details, including the operating system version, processor model, graphics controller, hardware UUID, and logical disk information such as size and available free space. This reconnaissance allows the malware to fingerprint the environment, identify potential virtualization or sandboxing, and assess the host’s suitability for further exploitation.

• wmic os get Caption
• wmic cpu get Name
• wmic path win32_VideoController get Name
• wmic csproduct get UUID
• wmic logicaldisk get Caption,FreeSpace,Size,Description /format:list

In addition to hardware and system profiling, the malware collects network and geolocation details by sending a request to ip-api.com/json. The response provides information such as the country and country code, region and city, ZIP code, latitude and longitude, time zone, ISP, organization, and ASN.  (See Figure 6)

Screen Capture

Continuing its reconnaissance activities, the stealer (updater.exe) also implements screen capture functionality to collect visual information from the victim’s environment. It uses inline C# code within PowerShell to enumerate all connected displays (Screen.AllScreens) and capture the contents of each screen (See Figure 7).

For every detected monitor, the script:

• Determines screen boundaries and resolution.
• Creates a bitmap image of the display.
• Copies pixel data using Graphics.CopyFromScreen.
• Saves the images as sequential PNG files (Display (1).png, Display (2).png, etc.).

This capability allows the threat actor to exfiltrate sensitive information, monitor user activity, and validate the compromise, complementing the system information previously collected.

Credentials from Web Browsers

After completing initial system reconnaissance, the stealer payload (updater.exe) shifts its focus to data theft from web browsers. In our analysis environment, the malware was observed actively collecting data from Google Chrome, Microsoft Edge, Brave, and Opera. For these browsers, it systematically enumerates user profiles and extracts artifacts such as browsing history, cookies, download records, and saved login credentials. (See Figure 8)

Interestingly, additional targets — including other browsers and cryptocurrency wallets — were identified in memory dump analysis, although they were not directly accessed during execution in our setup.

This suggests that the malware has broader capabilities and can adapt its behaviour depending on the victim’s environment.

Reflective DLL Injection:

The injection chain begins with updater.exe, which spawns a secondary process named infoprocess.exe and passes the targeted browser’s name as a parameter (e.g., Chrome, Edge, Brave). The helper process then launches the specified browser in headless mode, allowing the malware to interact with it without displaying a visible browser window. (See Figure 9)

Once the browser is running, infoprocess.exe extracts a malicious module (PAYLOAD_DLL) from its resources and injects it into the browser’s memory space (e.g., chrome.exe). This injection is carried out using low-level Windows APIs such as NtAllocateVirtualMemory and NtWriteProcessMemory, which map the DLL into the target process. (Figure 10)

The injected code is then executed via CreateThreadEx, giving the malware the ability to run inside the browser context. From there, it attempts to retrieve encrypted sensitive information, such as stored credentials and cookies. The stolen data is transmitted back to the calling process over a dedicated named pipe (\\.\pipe\ChromeDecryptIPC_). (See Figure 11)

As this process completes, the stealer consolidates the harvested browser data and stores it in the %temp% directory, staging it for later exfiltration to the attacker’s infrastructure. (See Figure 12)

Command and Control

After gathering system information, screenshots, and sensitive browser data, updater.exe establishes a connection to the attacker-controlled endpoint at 104.234.65.186.

This communication serves as a notification of successful infection. During this phase, the malware transmits key details about the compromised host, including a unique user identifier (derived from crypto.key), the victim’s IP address, geographic location (country), and operating system information. (See Figure 13)

The malware was also observed reaching out to several API’s hosted under the domain maranhaogang[.]fun, which serves as the attacker panel. (see Figure 14)

The list of URLs identified during our analysis is:

• hxxps://api.maranhaogang.fun/infect
• hxxps://api.maranhaogang.fun/victim
• hxxps://api.maranhaogang.fun/upload

These endpoints appear to serve distinct roles within the attacker’s command-and-control (C2) infrastructure, likely handling initial infection reporting, victim tracking, and the exfiltration of stolen data.

Conclusion

The Maranhão Stealer campaign demonstrates threat actors’ continued reliance on social engineering via pirated gaming software as an effective infection vector.

Its design clearly emphasizes credential harvesting and cryptocurrency theft, coupled with obfuscation and persistence techniques to evade casual detection. The inclusion of reflective DLL injection and AppBound-aware data collection further underlines its sophistication.

If successful, infections could lead to widespread credential compromise, account hijacking, theft of digital assets, and further malware deployment within victim environments.

Recommendations

• Deploy advanced endpoint detection and response (EDR) solutions to monitor suspicious behaviours such as process injection, registry modifications, and unusual API calls.
• Implement network monitoring to identify unauthorized exfiltration attempts and suspicious outbound traffic to attacker-controlled infrastructure.
• Integrating threat intelligence feeds into firewalls and proxies to strengthen defenses against newly emerging campaigns.
• Restrict the execution of unauthorized binaries using application allowlisting or application control policies.
• Develop and maintain clear incident response (IR) playbooks for malware infections, ensuring security teams can act quickly when a compromise is detected.

MITRE Tactic and Techniques

Indicators of Compromise (IOCs)